1# /proc/config.gz 2type config_gz, fs_type, proc_type; 3 4# /sys/fs/bpf/<dir> for mainline tethering use 5# TODO: move S+ fs_bpf_tethering here from public/file.te 6type fs_bpf_net_private, fs_type, bpffs_type; 7type fs_bpf_net_shared, fs_type, bpffs_type; 8type fs_bpf_netd_readonly, fs_type, bpffs_type; 9type fs_bpf_netd_shared, fs_type, bpffs_type; 10type fs_bpf_loader, fs_type, bpffs_type; 11type fs_bpf_uprobestats, fs_type, bpffs_type; 12type fs_bpf_memevents, fs_type, bpffs_type; 13 14# /data/misc/storaged 15type storaged_data_file, file_type, data_file_type, core_data_file_type; 16 17# /data/misc/wmtrace for wm traces 18type wm_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; 19 20# /data/misc/a11ytrace for accessibility traces 21type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type; 22 23# /data/misc/perfetto-traces for perfetto traces 24type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type; 25 26# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports. 27type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type; 28 29# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis. 30type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type; 31 32# /data/misc/perfetto-configs for perfetto configs 33type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type; 34 35# /system/etc/perfetto for perfetto configs 36type system_perfetto_config_file, file_type, system_file_type; 37 38# /data/misc/uprobestats-configs for uprobestats configs 39type uprobestats_configs_data_file, file_type, data_file_type, core_data_file_type; 40 41# /apex/com.android.art/bin/oatdump 42# TODO (b/350628688): Remove this once it's safe to do so. 43type oatdump_exec, system_file_type, exec_type, file_type; 44 45# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes 46type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type; 47# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes 48type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; 49 50# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds. 51type debugfs_kcov, fs_type, debugfs_type; 52 53# App executable files in /data/data directories 54type app_exec_data_file, file_type, data_file_type, core_data_file_type; 55typealias app_exec_data_file alias rs_data_file; 56 57# /data/misc_[ce|de]/rollback : Used by installd to store snapshots 58# of application data. 59type rollback_data_file, file_type, data_file_type, core_data_file_type; 60 61# /data/misc_ce/checkin for checkin apps. 62type checkin_data_file, file_type, data_file_type, core_data_file_type; 63 64# /data/gsi/ota 65type ota_image_data_file, file_type, data_file_type, core_data_file_type; 66 67# /data/gsi_persistent_data 68type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type; 69 70# /data/misc/emergencynumberdb 71type emergency_data_file, file_type, data_file_type, core_data_file_type; 72 73# /data/misc/profcollectd 74type profcollectd_data_file, file_type, data_file_type, core_data_file_type; 75 76# /data/misc/apexdata/com.android.art 77type apex_art_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 78 79# /data/misc/apexdata/com.android.art/staging 80type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type; 81 82# /data/misc/apexdata/com.android.compos 83type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 84 85# /data/misc/apexdata/com.android.virt 86type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 87 88# /data/misc/apexdata/com.android.tethering 89type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 90 91# /data/misc/apexdata/com.android.uwb 92type apex_uwb_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 93 94# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained 95# for backward compatibility b/217581286 96type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 97type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 98type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 99type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type; 100 101# /data/font/files 102type font_data_file, file_type, data_file_type, core_data_file_type; 103 104# /data/misc/dmesgd 105type dmesgd_data_file, file_type, data_file_type, core_data_file_type; 106 107# /data/misc/odrefresh 108type odrefresh_data_file, file_type, data_file_type, core_data_file_type; 109 110# /data/misc/odsign 111type odsign_data_file, file_type, data_file_type, core_data_file_type; 112 113# /data/misc/odsign_metrics 114type odsign_metrics_file, file_type, data_file_type, core_data_file_type; 115 116# /data/misc/virtualizationservice 117# The type needs to be mlstrustedobject to allow for being accessed from 118# virtualizationmanager, which runs at a more constrained MLS level. 119type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; 120 121# /mnt/vm 122type vm_data_file, file_type, core_data_file_type; 123 124# /data/system/environ 125type environ_system_data_file, file_type, data_file_type, core_data_file_type; 126 127# /data/misc/bootanim 128type bootanim_data_file, file_type, data_file_type, core_data_file_type; 129 130# /dev/kvm 131# The type needs to be mlstrustedobject to allow for being accessed from 132# crosvm, which runs at a more constrained MLS level. 133type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type; 134 135# /apex/com.android.virt/bin/fd_server 136type fd_server_exec, system_file_type, exec_type, file_type; 137 138# /apex/com.android.compos/bin/compsvc 139type compos_exec, exec_type, file_type, system_file_type; 140# /apex/com.android.compos/bin/compos_key_helper 141type compos_key_helper_exec, exec_type, file_type, system_file_type; 142 143# Filesystem entry for for PRNG seeder socket. Processes require 144# write permission on this to connect, and needs to be mlstrustedobject 145# in to satisfy MLS constraints for trusted domains. 146type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject; 147 148# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf 149type sysfs_dt_avf, fs_type, sysfs_type; 150type proc_dt_avf, fs_type, proc_type; 151 152# Type for /system/fonts/font_fallback.xm 153type system_font_fallback_file, system_file_type, file_type; 154 155# Type for /sys/devices/uprobe. 156type sysfs_uprobe, fs_type, sysfs_type; 157 158# Type for aconfig daemon socket 159type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject; 160 161# Type for aconfig mainline daemon socket 162type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject; 163 164# Type for /(system|system_ext|product)/etc/aconfig 165type system_aconfig_storage_file, system_file_type, file_type; 166 167# Type for /vendor/etc/aconfig 168type vendor_aconfig_storage_file, vendor_file_type, file_type; 169 170# /data/misc/connectivityblobdb 171type connectivityblob_data_file, file_type, data_file_type, core_data_file_type; 172 173# /data/misc/wifi/mainline_supplicant 174type mainline_supplicant_data_file, file_type, data_file_type, core_data_file_type; 175 176# Type for /mnt/pre_reboot_dexopt 177type pre_reboot_dexopt_file, file_type; 178 179# Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot 180# This type is set on the directory through the `rootcontext=` mount option. 181type pre_reboot_dexopt_artd_file, file_type; 182 183# /data/app-metadata - extracted app metadata bundles from APKs 184type apk_metadata_file, file_type, data_file_type, core_data_file_type; 185 186# Type for /sys/kernel/mm/pgsize_migration/enabled 187type sysfs_pgsize_migration, fs_type, sysfs_type; 188 189# /sys/firmware/acpi/tables 190type sysfs_firmware_acpi_tables, fs_type, sysfs_type; 191 192# Allow files to be created in their appropriate filesystems. 193allow fs_type self:filesystem associate; 194allow cgroup tmpfs:filesystem associate; 195allow cgroup_v2 tmpfs:filesystem associate; 196allow cgroup_rc_file tmpfs:filesystem associate; 197allow sysfs_type sysfs:filesystem associate; 198allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate; 199allow file_type labeledfs:filesystem associate; 200allow file_type tmpfs:filesystem associate; 201allow file_type rootfs:filesystem associate; 202allow dev_type tmpfs:filesystem associate; 203allow app_fuse_file app_fusefs:filesystem associate; 204allow postinstall_file self:filesystem associate; 205allow proc_net proc:filesystem associate; 206 207# It's a bug to assign the file_type attribute and fs_type attribute 208# to any type. Do not allow it. 209# 210# For example, the following is a bug: 211# type apk_data_file, file_type, data_file_type, fs_type; 212# Should be: 213# type apk_data_file, file_type, data_file_type; 214neverallow fs_type file_type:filesystem associate; 215# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it 216type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type; 217# app storage areas: /data/storage_area/userId/pkgName/storageAreaName 218type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type; 219# contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/* 220type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type; 221 222# /data/misc_ce/userId/storage_area_keys 223type storage_area_key_file, file_type, data_file_type, core_data_file_type; 224 225# /metadata/tradeinmode files 226type tradeinmode_metadata_file, file_type; 227 228# /metadata/prefetch files 229type prefetch_metadata_file, file_type; 230 231# Types added in 202504 in public/file.te 232until_board_api(202504, ` 233 type binderfs_logs_transactions, fs_type; 234 type binderfs_logs_transaction_history, fs_type; 235') 236 237until_board_api(202504, ` 238 type proc_cgroups, fs_type, proc_type; 239') 240 241until_board_api(202504, ` 242 type sysfs_udc, fs_type, sysfs_type; 243') 244 245until_board_api(202504, ` 246 type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type; 247 type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type; 248') 249 250until_board_api(202504, ` 251 # boot otas for 16KB developer option 252 type vendor_boot_ota_file, vendor_file_type, file_type; 253') 254 255until_board_api(202504, ` 256 type tee_service_contexts_file, system_file_type, file_type; 257') 258 259## END Types added in 202504 in public/file.te 260 261